Server-supported malware detection and protection

US 10,305,923 B2
Filed: 06/30/2017
Issued: 05/28/2019
Est. Priority Date: 06/30/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a first server, a first file attribute from a first computing device, the first file attribute associated with a first file, the first server comprising a first trained classification model and a first prediction cache;

determining at the first server, based on the first file attribute, that a classification for the first file indicating whether the first file is benign or malicious is unavailable at the first prediction cache;

subsequent to determining that the classification for the first file is unavailable at the first prediction cache, sending the first file attribute from the first server to a master server to determine whether the classification for the first file is available at a base prediction cache of the master server;

subsequent to sending the first file attribute from the first server to the master server, receiving a notification at the first server from the master server that the classification for the first file is unavailable at the base prediction cache;

in response to receiving the notification, determining the classification for the first file at the first server by performing, at the first server, an analysis of a second file attribute based on the first trained classification model, wherein the second file attribute is associated with the first file and is requested by the first server from the first computing device after receiving the notification, and wherein the second file attribute is distinct from the first file attribute and distinct from an entirety of the first file;

sending the classification determined at the first server from the first server to the first computing device; and

sending at least the classification determined at the first server from the first server to the master server for storage in the base prediction cache and for transmission from the master server to at least one second computing device via at least one second server responsive to receipt of the first file attribute from the at least one second computing device via the at least one second server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes receiving, at a server, a first file attribute from a computing device, the first file attribute associated with a file. The method also includes determining, based on the first file attribute, that a classification for the file is unavailable. The method further includes determining the classification for the file based on a trained file classification model accessible to the server and sending the classification to the computing device. The method includes sending at least the classification to a base prediction cache associated with a second server.

Citations

20 Claims

1. A method comprising:
- receiving, at a first server, a first file attribute from a first computing device, the first file attribute associated with a first file, the first server comprising a first trained classification model and a first prediction cache;
  
  determining at the first server, based on the first file attribute, that a classification for the first file indicating whether the first file is benign or malicious is unavailable at the first prediction cache;
  
  subsequent to determining that the classification for the first file is unavailable at the first prediction cache, sending the first file attribute from the first server to a master server to determine whether the classification for the first file is available at a base prediction cache of the master server;
  
  subsequent to sending the first file attribute from the first server to the master server, receiving a notification at the first server from the master server that the classification for the first file is unavailable at the base prediction cache;
  
  in response to receiving the notification, determining the classification for the first file at the first server by performing, at the first server, an analysis of a second file attribute based on the first trained classification model, wherein the second file attribute is associated with the first file and is requested by the first server from the first computing device after receiving the notification, and wherein the second file attribute is distinct from the first file attribute and distinct from an entirety of the first file;
  
  sending the classification determined at the first server from the first server to the first computing device; and
  
  sending at least the classification determined at the first server from the first server to the master server for storage in the base prediction cache and for transmission from the master server to at least one second computing device via at least one second server responsive to receipt of the first file attribute from the at least one second computing device via the at least one second server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the first server is associated with a first enterprise.
  - 3. The method of claim 2, wherein the master server is communicably coupled to a plurality of enterprise servers associated with a plurality of enterprises, each of the plurality of enterprise servers configured, in response to determining that a particular classification for a particular file is unavailable at a respective local prediction cache, to query the master server for the particular classification prior to executing a respective local trained classification model to determine the particular classification.
  - 4. The method of claim 2, wherein the first prediction cache corresponds to an enterprise prediction cache.
  - 5. The method of claim 1, wherein the first file attribute includes a secure hash algorithm (SHA) hash value determined from the first file.
  - 6. The method of claim 5, wherein the second file attribute comprises at least one of:
    - one or more n-gram vectors indicating occurrences of character pairs in printable characters representing content of the first file, ora sequence of entropy indicators, each entropy indicator of the sequence of entropy indicators corresponding to a chunk of the first file.
  - 7. The method of claim 5, wherein the second file attribute comprises an entropy indicator n-gram vector, the entropy indicator n-gram vector indicating occurrences of a plurality of n-grams in a sequence of entropy indicators representing the first file, a first entropy indicator of the sequence corresponding to a first bin name associated with a first range of entropy values, a second entropy indicator of the sequence corresponding to a second bin name associated with a second range of entropy values, each of the plurality of n-grams comprising a combination of multiple bin names, wherein n is an integer greater than or equal to two.
  - 8. The method of claim 1, further comprising:
    - receiving, at the first server at a time subsequent to sending at least the classification to the master server, an updated version of the first trained classification model, wherein the updated version of the first trained classification model is not trained using the classification in response to the classification indicating that the first file is benign.
  - 9. The method of claim 8, wherein the first server is associated with a first enterprise, and wherein the updated version of the first trained classification model corresponds to a base trained classification model that undergoes additional training iterations based on files predicted to be more frequently encountered at the first enterprise than at a second enterprise.
  - 10. The method of claim 1, further comprising:
    - receiving, at the first server, a third file attribute from a third computing device, the third file attribute associated with a second file received by the third computing device; and
      
      sending, from the first server to the third computing device, a second classification indicating whether the second file is benign or malicious, wherein permission to access the second file or execute the second file at the third computing device is based on the second classification, wherein the second classification is determined from the first prediction cache without querying the master server regarding the third file attribute.
  - 11. The method of claim 1, further comprising:
    - storing the classification received from the master server at the first prediction cache; and
      
      after storing the classification at the first prediction cache, sending the stored classification to a third computing device without re-transmitting the first file attribute to the master server.

12. A processor-readable storage device storing instructions that, when executed, cause a processor to perform operations comprising:
- receiving, at a first server, a first file attribute from a first computing device, the first file attribute associated with a first file, the first server comprising a first trained classification model and a first prediction cache;
  
  determining at the first server, based on the first file attribute, that a classification for the first file indicating whether the first file is benign or malicious is unavailable at the first prediction cache;
  
  subsequent to determining that the classification for the first file is unavailable at the first prediction cache, sending the first file attribute from the first server to a master server to determine whether the classification for the first file is available at a base prediction cache of the master server;
  
  subsequent to sending the first file attribute from the first server to the master server, receiving a notification at the first server from the master server that the classification for the first file is unavailable at the base prediction cache;
  
  in response to receiving the notification, determining the classification for the first file at the first server by performing, at the first server, an analysis of a second file attribute based on the first trained classification model, wherein the second file attribute is associated with the first file and is requested by the first server from the first computing device after receiving the notification, and wherein the second file attribute is distinct from the first file attribute and distinct from an entirety of the first file;
  
  sending the classification determined at the first server from the first server to the first computing device; and
  
  sending at least the classification determined at the first server from the first server to the master server for storage in the base prediction cache and for transmission from the master server to at least one second computing device via at least one second server responsive to receipt of the first file attribute from the at least one second computing device via the at least one second server.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The processor-readable storage device of claim 12, wherein the first server is associated with a first enterprise.
  - 14. The processor-readable storage device of claim 12, wherein the first file attribute includes a secure hash algorithm (SHA) value determined from the first file.
  - 15. The processor-readable storage device of claim 12, wherein the master server is communicably coupled to a plurality of enterprise servers associated with a plurality of enterprises, each of the plurality of enterprise servers configured, in response to determining that a particular classification for a particular file is unavailable at a respective local prediction cache, to query the master server for the particular classification prior to executing a respective local trained classification model to determine the particular classification.
  - 16. The processor-readable storage device of claim 12, wherein the operations further comprise receiving, at the first server at a time subsequent to sending at least the classification to the master server, an updated version of the first trained classification model, wherein the updated version of the first trained classification model is not trained using the classification in response to the classification indicating that the first file is benign.

17. A system comprising:
- a master server comprising a base prediction cache and a base trained classification model;
  
  a first enterprise server communicably coupled to at least a first computing device, the first enterprise server comprising a first prediction cache and a first trained classification model; and
  
  a second enterprise server communicably coupled to at least a second computing device, the second enterprise server comprising a second prediction cache and a second trained classification model,the first enterprise server configured to perform operations comprising;
  
  receiving a first file attribute from the first computing device, the first file attribute associated with a file;
  
  determining, based on the first file attribute, that a classification for the file indicating whether the file is benign or malicious is unavailable at the first prediction cache;
  
  subsequent to determining that the classification for the file is unavailable at the first prediction cache, sending the first file attribute to the master server to determine whether the classification for the file is available at the base prediction cache;
  
  in response to receiving from the master server a notification that the classification is unavailable at the base prediction cache, sending a request to the first computing device for a second file attribute that is associated with the file, wherein the second file attribute is distinct from the first file attribute and distinct from an entirety of the file;
  
  determining the classification for the file by performing an analysis of the second file attribute based on the first trained classification model;
  
  sending the classification to the first computing device; and
  
  sending at least the classification to the master server; and
  
  the master server configured to perform operations comprising;
  
  storing the classification received from the first enterprise server in the base prediction cache; and
  
  after storing the classification in the base prediction cache, sending the stored classification to the second computing device via the second enterprise server responsive to receiving the first file attribute from the second computing device via the second enterprise server.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein:
    - the first enterprise server is configured, in response to determining that a particular classification for a particular file is unavailable at the first prediction cache, to query the master server for the particular classification prior to executing the first trained classification model to determine the particular classification; and
      
      the second enterprise server is configured, in response to determining that the particular classification for the particular file is unavailable at the second prediction cache, to query the master server for the particular classification prior to executing the second trained classification model to determine the particular classification.
  - 19. The system of claim 17, wherein the first file attribute includes a secure hash algorithm (SHA) value determined from the file.
  - 20. The system of claim 17, further comprising the first computing device, wherein the first computing device is configured to determine an entropy indicator n-gram vector corresponding to the second file attribute, the entropy indicator n-gram vector indicating occurrences of a plurality of n-grams in a sequence of entropy indicators representing the file, a first entropy indicator of the sequence corresponding to a first bin name associated with a first range of entropy values, a second entropy indicator of the sequence corresponding to a second bin name associated with a second range of entropy values, each of the plurality of n-grams comprising a combination of multiple bin names, wherein n is an integer greater than or equal to two.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SparkCognition Inc.
Original Assignee
SparkCognition Inc.
Inventors
McLane, Lucas, Capellman, Jarred
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Chao, Michael W

Application Number

US15/639,520
Publication Number

US 20190007433A1
Time in Patent Office

697 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/27   Replication, distribution o...

G06F 21/56   Computer malware detection ...

G06F 21/561   Virus type analysis

G06F 21/566   Dynamic detection, i.e. det...

G06N 20/00   Machine learning

G06N 20/10   using kernel methods, e.g. ...

G06N 20/20   Ensemble learning

G06N 3/08   Learning methods

G06N 5/01   Dynamic search techniques; ...

G06N 5/04   Inference or reasoning models

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 9/0643   Hash functions, e.g. MD5, S...

Server-supported malware detection and protection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Server-supported malware detection and protection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links